CVE-2023-53142

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> ice: copy last block omitted in ice_get_module_eeprom()<br /> <br /> ice_get_module_eeprom() is broken since commit e9c9692c8a81 ("ice:<br /> Reimplement module reads used by ethtool") In this refactor,<br /> ice_get_module_eeprom() reads the eeprom in blocks of size 8.<br /> But the condition that should protect the buffer overflow<br /> ignores the last block. The last block always contains zeros.<br /> <br /> Bug uncovered by ethtool upstream commit 9538f384b535<br /> ("netlink: eeprom: Defer page requests to individual parsers")<br /> After this commit, ethtool reads a block with length = 1;<br /> to read the SFF-8024 identifier value.<br /> <br /> unpatched driver:<br /> $ ethtool -m enp65s0f0np0 offset 0x90 length 8<br /> Offset Values<br /> ------ ------<br /> 0x0090: 00 00 00 00 00 00 00 00<br /> $ ethtool -m enp65s0f0np0 offset 0x90 length 12<br /> Offset Values<br /> ------ ------<br /> 0x0090: 00 00 01 a0 4d 65 6c 6c 00 00 00 00<br /> $<br /> <br /> $ ethtool -m enp65s0f0np0<br /> Offset Values<br /> ------ ------<br /> 0x0000: 11 06 06 00 00 00 00 00 00 00 00 00 00 00 00 00<br /> 0x0010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00<br /> 0x0020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00<br /> 0x0030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00<br /> 0x0040: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00<br /> 0x0050: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00<br /> 0x0060: 00 00 00 00 00 00 00 00 00 00 00 00 00 01 08 00<br /> 0x0070: 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00<br /> <br /> patched driver:<br /> $ ethtool -m enp65s0f0np0 offset 0x90 length 8<br /> Offset Values<br /> ------ ------<br /> 0x0090: 00 00 01 a0 4d 65 6c 6c<br /> $ ethtool -m enp65s0f0np0 offset 0x90 length 12<br /> Offset Values<br /> ------ ------<br /> 0x0090: 00 00 01 a0 4d 65 6c 6c 61 6e 6f 78<br /> $ ethtool -m enp65s0f0np0<br /> Identifier : 0x11 (QSFP28)<br /> Extended identifier : 0x00<br /> Extended identifier description : 1.5W max. Power consumption<br /> Extended identifier description : No CDR in TX, No CDR in RX<br /> Extended identifier description : High Power Class (&gt; 3.5 W) not enabled<br /> Connector : 0x23 (No separable connector)<br /> Transceiver codes : 0x88 0x00 0x00 0x00 0x00 0x00 0x00 0x00<br /> Transceiver type : 40G Ethernet: 40G Base-CR4<br /> Transceiver type : 25G Ethernet: 25G Base-CR CA-N<br /> Encoding : 0x05 (64B/66B)<br /> BR, Nominal : 25500Mbps<br /> Rate identifier : 0x00<br /> Length (SMF,km) : 0km<br /> Length (OM3 50um) : 0m<br /> Length (OM2 50um) : 0m<br /> Length (OM1 62.5um) : 0m<br /> Length (Copper or Active cable) : 1m<br /> Transmitter technology : 0xa0 (Copper cable unequalized)<br /> Attenuation at 2.5GHz : 4db<br /> Attenuation at 5.0GHz : 5db<br /> Attenuation at 7.0GHz : 7db<br /> Attenuation at 12.9GHz : 10db<br /> ........<br /> ....